Update to Windows Update, WSUS Coming This Week

Update to Windows Update, WSUS Coming This Week

As part of the phased mitigation strategy we outlined on the MSRC blog, an update was released with Security Advisory 2718704 that prevents unauthorized certificates from being used to attack Windows systems. In an effort to provide additional protection for customers, the next action in our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. Now that we have seen broad adoption of Security Advisory 2718704, our deployment of the security hardening update to Windows Update and Windows Server Update Services (WSUS) infrastructures will begin to roll out over the next few days.

Our hardening introduces two defense-in-depth changes. First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way. WSUS customers will also receive an update; more details will be found on the Knowledge Base when the update becomes available.

As with past updates, this update will not change your current Windows Update or Automatic Updates settings. Anytime Windows Update (or Automatic Updates) is turned on, either set to automatically install updates or notify to install updates, Windows Update will take care of updating itself.

It’s important to keep your PC up to date with the latest updates to keep your PC running smoothly and safely.

Something I've never had a good handle on is how Microsoft supercedes hotfixes. We have deployed KB2607070 which is a newer Windows Update Agent that allows self-published content larger than several hundred MB to install successfully. Will the new Update Agent that is released this week include most intermediate hotfixes such as that, or will I have to wait for that KB article to be updated with a newer build?

We've also deployed KB2607070 so would like to know that answer too. Also, will the security certificate changes affect certificates issued and used internally for local publishing to WSUS (via System Center Essentials or System Center Update Publisher), or will those certificates continue to be trusted as per Group Policy settings?

Bijoy

13 Jun 2012 7:11 AM

Wsus Server Crashed . Error ( mmc has detected an error in a snap-in and will unload it )